A financially motivated group of hackers, identified as UNC6040, is employing a new tactic to infiltrate enterprise environments by impersonating IT support staff over the phone. This form of social engineering, known as voice phishing (vishing), allows the attackers to manipulate employees into granting unwarranted access to sensitive systems.
According to a recent report from Google’s Threat Intelligence Group (GTIG), the hackers primarily target English-speaking employees of multinational corporations. Posing as internal IT staff, they talk the employee through authorizing a connected app in the company’s Salesforce org: a modified copy of Salesforce’s legitimate Data Loader tool, often renamed to something like “My Ticket Portal” so that it fits the IT-support pretext. Once approved, the app can use the Salesforce API with the employee’s own permissions. No software vulnerability is exploited; the attack works because a legitimately authenticated user grants the access themselves.
Once the attackers have that access, they can query and extract large volumes of data from the targeted organization. UNC6040 has been observed starting with small queries to avoid tripping export alerts, then gradually scaling up as long as the access holds. The theft does not always lead directly to an extortion demand: attackers may wait months before making threats, and when they do they claim affiliation with well-known groups such as ShinyHunters to increase pressure on the victim.
UNC6040 does not stop at Salesforce. The group has been reported to move laterally into other corporate platforms such as Okta and Microsoft 365, which gives it further sources of data and more leverage in any later extortion attempt.
GTIG recommends that organizations take proactive steps against this attack. Since there is no vulnerability to patch, the controls aim at limiting what a tricked employee can grant and how much data can leave. Access to Data Loader, and the API permissions it requires, should be restricted to personnel with a genuine need and reviewed regularly. Connected apps should be explicitly allow-listed so that an individual user cannot authorize an arbitrary OAuth app on their own. Restricting logins to trusted IP ranges blocks sessions from commercial VPN exit nodes and other untrusted networks that the attackers operate from. Monitoring that flags large-scale data exports in near real time, such as Salesforce Shield Event Monitoring with transaction security policies, can catch the ramp-up in export volume. Multi-factor authentication (MFA) remains essential, but it does not by itself stop this attack: the victim logs in legitimately and then approves the attacker’s app, so training employees to recognize vishing calls is the control that breaks the chain.
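The detection side of those recommendations, and the “start small, then ramp up” behaviour described earlier, can be checked with a short script over export logs. The following is an added example, not code from GTIG or Salesforce: it runs over a constructed CSV whose column layout only loosely resembles Salesforce EventLogFile Bulk API rows (the column names, the trusted app list, the trusted network, and the thresholds are all assumptions to be tuned to a real org), and flags exports from an unknown connected app, from an untrusted IP, above a daily volume, or that jump more than tenfold over the user’s previous active day.

```python
"""Added example: flag UNC6040-style Salesforce export patterns.

Not GTIG's or Salesforce's code. Log layout, app/network allow-lists and
thresholds are assumptions; replace them with the org's real EventLogFile
schema and baselines.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (column names are an assumption, not the real schema).
# asmith approved a renamed Data Loader from an untrusted network and ramps up;
# mlee is a legitimate user doing one large but sanctioned export.
SAMPLE_LOG = """\
timestamp,user,client_app,client_ip,entity,rows_processed
2025-05-01T09:10:00Z,jdoe,Data Loader,203.0.113.7,Account,150
2025-05-01T09:45:00Z,jdoe,Data Loader,203.0.113.7,Contact,180
2025-05-01T14:05:00Z,asmith,My Ticket Portal,198.51.100.23,Account,120
2025-05-02T10:00:00Z,asmith,My Ticket Portal,198.51.100.23,Contact,4000
2025-05-02T10:30:00Z,asmith,My Ticket Portal,198.51.100.23,Opportunity,9500
2025-05-02T11:00:00Z,asmith,My Ticket Portal,198.51.100.23,Lead,60000
2025-05-03T08:00:00Z,mlee,Data Loader,203.0.113.8,Account,250000
"""

TRUSTED_APPS = {"Data Loader"}                          # assumed allow-list
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office range
DAILY_ROW_THRESHOLD = 100_000   # assumed; tune to normal export volume
RAMP_FACTOR = 10                # alert when a day is >10x the prior active day


def parse_log(text):
    """Parse the CSV into dicts with a UTC datetime and an integer row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        row["rows_processed"] = int(row["rows_processed"])
        events.append(row)
    return events


def daily_rows(events):
    """Total rows exported per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["timestamp"].date())] += e["rows_processed"]
    return totals


def find_alerts(events):
    """Return de-duplicated alerts as dicts with kind, user and detail."""
    alerts, seen = [], set()

    def add(kind, user, detail):
        key = (kind, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append({"kind": kind, "user": user, "detail": detail})

    # Per-event checks: unknown connected app, login outside trusted ranges.
    for e in events:
        if e["client_app"] not in TRUSTED_APPS:
            add("untrusted_app", e["user"], e["client_app"])
        ip = ipaddress.ip_address(e["client_ip"])
        if not any(ip in net for net in TRUSTED_NETS):
            add("untrusted_ip", e["user"], e["client_ip"])

    # Per-user daily checks: absolute volume and ramp-up versus prior active day.
    per_user = defaultdict(list)
    for (user, day), rows in daily_rows(events).items():
        per_user[user].append((day, rows))
    for user, days in per_user.items():
        days.sort()
        for i, (day, rows) in enumerate(days):
            if rows >= DAILY_ROW_THRESHOLD:
                add("bulk_export", user, f"{day}:{rows}")
            if i > 0:
                prev_day, prev_rows = days[i - 1]
                if prev_rows > 0 and rows > RAMP_FACTOR * prev_rows:
                    add("ramp", user, f"{prev_day}->{day}:{prev_rows}->{rows}")
    return alerts


def alert_kinds(events, user):
    """Sorted alert kinds raised for one user; handy for triage and tests."""
    return sorted({a["kind"] for a in find_alerts(events) if a["user"] == user})


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only asmith trips the app, IP and ramp checks together, which is the combination worth paging on; mlee’s single large export raises the volume alert alone and would be closed quickly against a change ticket. The IP check here is a detection; the preventive control is Salesforce’s own login IP range restriction on the profile, which should be in place as well.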